Virtual Routers
Network -> Virtual Routers

ADMINISTRATIVE DISTANCE:
*'Static Routes' - default 10
*'EBGP' - default 20
*'OSPF Int' - default 30
*'OSPF Ext' - default 110
*'RIP' - default 120
*'IBGP' - default 200

Virtual routers enable the firewall to route packets at Layer 3 by making packet forwarding decisions according to the destination IP address.
*Each Layer 3 interface, loopback, and VLAN interface should be associated with a virtual router.
**Each interface can only belong to 1 virtual router.
*Virtual routers can route to other virtual routers within the same firewall if a next hop is specified.
*By default, the firewall comes pre-configured with a virtual router 'default' which includes all the interfaces.

'Routing Protocols'
Provides support for static routing and dynamic routing using:
*'Routing Information Protocol (RIPv2)'
**Relies on hop count to determine routes; best routes have the fewest hops.
**Max of 15 hops prevents routing loops.
**Long convergence time.
*'Open Shortest Path First (OSPFv2)'
**Determines routes by dynamically obtaining information from other routers and advertising routes to other routers by Link State Advertisements (LSA).
**A cost is assigned to each router interface; lowest costs are the best routes.
**Greater processor and memory requirements than RIP because it dynamically processes a considerable amount of route information.
*'Border Gateway Protocol (BGPv4)'
**Primary Internet routing protocol.
**Determines network reachability based on IP prefixes that are available within autonomous systems (AS).
***AS = a set of IP prefixes that a network provider has designated to be part of a single routing policy.

'Administrative Distance:'
Administrative Distance is used to define the best path when there are ''multiple'' paths from multiple protocols to the same destination. Route Metric is used within a single routing protocol.
*The lower the Administrative value, the higher the path's priority.
*The Administrative Distance value that can be set ranges from 10 to 240.
*An administrative distance of 255 will cause the router to "disbelieve" the route entirely, and it will be excluded from the route selection process.

'Route Metric':
The route metric can be set to determine route selection when there are multiple paths to the same destination and a single routing protocol is used. Route metrics are not used when forwarding traffic through multiple protocols; Administrative Distance is used instead.
*Lower metric values are preferred over higher values.
*The following can be used to influence the metric's value: bandwidth, network delay, hop count, path cost, load, reliability, monetary cost, and MTU.

'Multicast Routing'
Multicast routing support:
*'PIM-SM' (Protocol Independent Multicast Sparse Mode)
*'PIM-SSM' (PIM Source Specific Multicast)
*'IGMP' (Internet Group Management Protocol v1, v2, v3)
Available in Virtual Wire and L3. The multicast routing feature allows the firewall to route multicast streams using PIM-SM and PIM-SSM for applications such as media broadcasting (radio and video) with PIMv2. The firewall performs IGMP queries for hosts that are on the same network as the interface on which IGMP is configured.

'Routing across IPSec Tunnels'
Route-based VPNs can be configured to connect PAN firewalls at central and remote sites or to connect PAN firewalls with third-party security devices at other locations.
*With route-based VPNs, the firewall makes a routing decision based on the destination IP address.
*If traffic is routed to a specific destination through a VPN tunnel, then it is encrypted as VPN traffic.
*It is not necessary to define special rules or to make explicit reference to a VPN tunnel; routing and encryption decisions are determined by the destination IP address.
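Because routing alone decides whether traffic enters a tunnel, it is worth checking which route actually wins for each destination that is expected to be encrypted. The sketch below is an added example, not code from the original page or from Palo Alto Networks: it applies the administrative distance and metric rules above to a constructed routing table. Longest-prefix match as the first comparison, the route field names and the interface names are assumptions.

```python
import ipaddress

# Default administrative distances as listed on this page.
DEFAULT_AD = {"static": 10, "ebgp": 20, "ospf-int": 30,
              "ospf-ext": 110, "rip": 120, "ibgp": 200}

# Constructed sample routing table (not taken from a real device).
ROUTES = [
    {"prefix": "10.20.0.0/16", "proto": "static", "metric": 10, "interface": "tunnel.1"},
    {"prefix": "10.20.0.0/16", "proto": "ospf-int", "metric": 5, "interface": "ethernet1/2"},
    {"prefix": "10.20.30.0/24", "proto": "rip", "metric": 3, "interface": "ethernet1/3"},
    {"prefix": "10.20.40.0/24", "proto": "ebgp", "metric": 1, "ad": 255,
     "interface": "ethernet1/3"},
    {"prefix": "0.0.0.0/0", "proto": "static", "metric": 10, "interface": "ethernet1/1"},
]

def select_route(routes, dst):
    """Return the route used for dst, or None if nothing matches.

    Comparison order: longest matching prefix (standard IP forwarding,
    assumed here), then lowest administrative distance, then lowest metric.
    A route with administrative distance 255 is never a candidate.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        ad = r.get("ad", DEFAULT_AD[r["proto"]])
        if ad == 255 or addr not in net:
            continue
        candidates.append((-net.prefixlen, ad, r["metric"], r))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[:3])[3]

def not_via_tunnel(routes, tunnel, destinations):
    """List destinations expected on the tunnel interface that resolve elsewhere."""
    misses = []
    for dst in destinations:
        best = select_route(routes, dst)
        if best is None or best["interface"] != tunnel:
            misses.append(dst)
    return misses

if __name__ == "__main__":
    print(not_via_tunnel(ROUTES, "tunnel.1", ["10.20.1.1", "10.20.30.5", "10.20.40.5"]))
```

In the sample, the static route beats the OSPF route for 10.20.1.1 despite its higher metric, while the more specific RIP /24 takes 10.20.30.5 out of the tunnel.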
'Redistribution Profile':
*'Route Redistribution' = networks that are running multiple dynamic routing protocols such as RIPv2, OSPF, or BGP may need to redistribute routes into the dynamic routing protocols.
*'Route Filtering' = used to filter the route prefixes that are advertised from one routing protocol to another or from one autonomous system to another.

Redistribution Profiles are the only way to exchange routing information between protocols.
*Profile-based approach for route redistribution and filtering between protocols, static routes, connected routes and hosts.
*When multiple profiles are used, the ordering is important. The PRIORITY field is used to prioritize the redistribution profiles so that you can include some routes in the redistribution and exclude others.
*The lower priority numbers are matched first, and the priority value can range from 1 to 255.

Network -> Virtual Router -> Redistribution Profile -> Add
*'Redistribute' -> "Redist" = to include routes to be redistributed from one protocol to another.
*'Redistribute' -> "No Redist" = to exclude routes from the redistribution event.
*'New Metric' = used to assign a route metric value to the routes being redistributed.
*'Priority' = when multiple profiles are defined, the lower priority values are matched first.
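Why the ordering matters is easiest to see by evaluating a route against a set of profiles. The following is an added example, not code from the original page or from PAN-OS: it models profiles as dictionaries with hypothetical field names, and assumes that the first matching profile decides and that a route matching no profile is not redistributed.

```python
import ipaddress

# Constructed sample profiles: keep the management range out of the
# redistribution while exporting the rest of the static 10.0.0.0/8 routes.
PROFILES = [
    {"name": "export-static", "priority": 10, "action": "redist",
     "sources": {"static"}, "destinations": ["10.0.0.0/8"], "new_metric": 50},
    {"name": "hide-mgmt", "priority": 5, "action": "no-redist",
     "sources": {"static", "connect"}, "destinations": ["10.99.0.0/16"]},
]

# Constructed sample routes (not taken from a real device).
SAMPLE_ROUTES = [
    {"prefix": "10.1.0.0/16", "source": "static", "metric": 10},
    {"prefix": "10.99.1.0/24", "source": "static", "metric": 10},
    {"prefix": "10.2.0.0/24", "source": "connect", "metric": 0},
]

def evaluate(profiles, route):
    """Return (redistributed, metric) for one route.

    Profiles are tried in ascending priority (1-255, lower matched first).
    Assumptions: the first matching profile decides, and a route that
    matches no profile is not redistributed.
    """
    net = ipaddress.ip_network(route["prefix"])
    for p in sorted(profiles, key=lambda p: p["priority"]):
        if not 1 <= p["priority"] <= 255:
            raise ValueError(f"{p['name']}: priority must be 1-255")
        if route["source"] not in p["sources"]:
            continue
        dests = (ipaddress.ip_network(d) for d in p["destinations"])
        if any(net.subnet_of(d) for d in dests):
            if p["action"] == "redist":
                # New Metric replaces the route's own metric when set.
                return True, p.get("new_metric", route["metric"])
            return False, None
    return False, None

def advertised(profiles, routes):
    """Prefixes that end up redistributed, with the metric they carry."""
    results = ((r["prefix"], evaluate(profiles, r)) for r in routes)
    return [(prefix, metric) for prefix, (ok, metric) in results if ok]

if __name__ == "__main__":
    print(advertised(PROFILES, SAMPLE_ROUTES))
```

If "hide-mgmt" is given a higher priority number than "export-static", the broader Redist profile matches 10.99.1.0/24 first and the management prefix is advertised.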
'CLI COMMAND:' to see the routing table on the PAN:
*> ''show routing route''
**Metric = displays the route metric value for each of the destinations
***Locally connected routes are assigned a value of zero

'OSPF:'
*show routing protocol redist ospf virtual-router
*show routing protocol redist ospfv3 virtual-router
*show routing protocol ospf summary virtual-router
*show routing protocol ospf area virtual-router
*show routing protocol ospf interface virtual-router
*show routing protocol ospf virt-link virtual-router
*show routing protocol ospf neighbor virtual-router
*show routing protocol ospf virt-neighbor virtual-router
*show routing protocol ospf lsdb virtual-router
*show routing protocol ospf dumplsdb virtual-router
*show routing protocol ospf graceful-restart virtual-router
*show routing protocol ospfv3 summary virtual-router
*show routing protocol ospfv3 area virtual-router
*show routing protocol ospfv3 interface brief virtual-router
*show routing protocol ospfv3 virt-link virtual-router
*show routing protocol ospfv3 neighbor brief virtual-router
*show routing protocol ospfv3 virt-neighbor brief virtual-router

'Tech Doc:' Understanding Route Redistribution:
*https://live.paloaltonetworks.com/docs/DOC-5284